Federal government (FTC) holds businesses liable for failing to protect customer data
FTC: Converting Data Breaches to Intrusion Disruption
Irony of ironies: the federal government that exposed millions of personnel records and created the insecure Obama HealthCare.gov system now wants to heavily fine companies that fail to protect consumer information.
Based on a recent U.S. Circuit Court of Appeals decision, the Federal Trade Commission (FTC) can find businesses at fault for data breaches and tie them up with consent decrees that force them to submit to third-party security assessments every two years for up to 20 years. Business and IT executives need to understand the implications of the ruling and ensure they can demonstrate they have implemented and are monitoring "reasonable" security practices.
A recent 3-0 U.S. Third Circuit Court of Appeals ruling shot down Wyndham Worldwide Corp.'s claim that federal law does not give the FTC the power to penalize companies for poor security policies and procedures that result in customer-related data theft.
The unanimous ruling makes it perfectly clear that the FTC does have authority to regulate the handling of information security. This court-sanctioned expansion of authority should be quite troubling to all corporate and senior IT executives.
In the past the FTC has only gone after businesses that have failed to implement reasonable security measures for data entrusted to them by consumers. Wyndham, for example, suffered three data breaches in 2008 and 2009 and failed to encrypt credit card data. The FTC has pursued more than 50 such cases, and all but Wyndham and one other company signed consent decrees. The one that did not sign a consent decree is going out of business.
What represents reasonable security measures is in the eye of the beholder. In this case the FTC's (the beholder's) approach to data security reasonableness is as follows: "a company's data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities."
While some organizations are exempt from FTC authority – such as banking and healthcare – others must be sure to comply with the FTC's view of reasonableness.
FTC's 10 Step Security Guide
The FTC's guide details the following 10 steps:
1. Start with security
2. Control access to data sensibly
3. Require secure passwords and authentication
4. Store sensitive personal information securely and protect it during transmission
5. Segment your network and monitor who is trying to get in and out
6. Secure remote access to your network
7. Apply sound security practices when developing new products
8. Make sure your service providers implement reasonable security measures
9. Put procedures in place to keep your security current and address vulnerabilities that may arise
10. Secure paper, physical media and devices
The guide describes each step in greater detail and provides practical guidance on how to reduce the risks that step addresses. Surprisingly, the FTC has taken a very sensible approach to security, and the easy-to-read guide offers good advice on how to comply and avoid security pitfalls.
Next: Monitoring Security Compliance: 3 Key Metrics
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.